Claims:

1. A method for detecting a substring of interest from a plurality of
substrings that arrives out-of-order, comprising: 

receiving a substring with an index; 

determining whether a preceding span exists in a span set; 
determining whether a succeeding span exists in said span set; and 
applying an automaton having a list of substrings of interest to determine 
whether said substring matches one of said substrings of interest. 

2. The method of claim 1, wherein if said preceding span and said
succeeding span do not exist, then said substring is inserted into said span set.

3. The method of claim 1, wherein if said succeeding span does exist, then
said substring is joined with said succeeding span to produce a join span.

4. The method of claim 3, wherein said succeeding span is replaced by said
join span.

5. The method of claim 1, wherein if said preceding span does exist, then
said preceding span is joined with said substring to produce a join span.

6. The method of claim 5, wherein said preceding span is replaced by said
join span.

7. The method of claim 1, wherein if said preceding span and said
succeeding span do exist, then said preceding span is joined with said substring 
to produce a join span. 

8. The method of claim 7, wherein said join span is joined with said 
succeeding span to produce a second join span. 






PATENT 

Attorney Docket No.: SRI 4804-2 

9. The method of claim 8, wherein said preceding span and said 
succeeding span are replaced by said second join span. 

10. The method of claim 1, wherein said substring is forwarded, while
parameters of said substring are stored.

11. The method of claim 10, wherein said parameters comprise at least one
of a state of said automaton, said index, a length of the substring and a prefix. 

12. The method of claim 1, wherein said method for detecting a substring of
interest is performed as a network monitoring function.

13. The method of claim 1, wherein said method for detecting a substring of
interest is performed as an intrusion detection function.

14. The method of claim 1, wherein said method for detecting a substring of
interest is performed as a firewall function.

15. The method of claim 1, wherein said method for detecting a substring of
interest is performed as a routing function.

16. The method of claim 1, wherein said method for detecting a substring of
interest is performed as a load balancing function.

17. The method of claim 1, wherein said method for detecting a substring of
interest is performed as an anti-virus filtering function.

18. The method of claim 1, wherein said method for detecting a substring of
interest is performed as an anti-spam filtering function.

19. The method of claim 1, wherein said method for detecting a substring of
interest is performed as a document control function.

20. The method of claim 1, wherein said method for detecting a substring of
interest is performed as a web content filtering function.

21. The method of claim 1, wherein said method for detecting a substring of
interest is performed as a virtual private network monitoring function.

22. The method of claim 1, wherein said method for detecting a substring of
interest is performed as a storage area network security function. 

23. The method of claim 10, further comprising: 

determining whether said forwarded substring is subsequently dropped 
by a target machine. 

24. The method of claim 23, wherein if said forwarded substring is 
subsequently dropped, then a connection for passing said forwarded substring 
is reset. 

25. The method of claim 24, wherein said connection is a TCP connection. 

26. An apparatus for detecting a substring of interest from a plurality of 
substrings that arrives out-of-order, comprising: 

means for receiving a substring with an index; 

means for determining whether a preceding span exists in a span set; 
means for determining whether a succeeding span exists in said span 
set; and 

means for applying an automaton having a list of substrings of interest to 
determine whether said substring matches one of said substrings of interest. 

27. The apparatus of claim 26, wherein if said preceding span and said 
succeeding span do not exist, then said substring is inserted into said span set. 

28. The apparatus of claim 26, wherein if said succeeding span does exist, 
then said substring is joined with said succeeding span to produce a join span.

29. The apparatus of claim 28, wherein said succeeding span is replaced by
said join span. 

30. The apparatus of claim 26, wherein if said preceding span does exist, 
then said preceding span is joined with said substring to produce a join span. 

31. The apparatus of claim 30, wherein said preceding span is replaced by
said join span.

32. The apparatus of claim 26, wherein if said preceding span and said
succeeding span do exist, then said preceding span is joined with said substring 
to produce a join span. 

33. The apparatus of claim 32, wherein said join span is joined with said 
succeeding span to produce a second join span. 

34. The apparatus of claim 33, wherein said preceding span and said 
succeeding span are replaced by said second join span. 

35. The apparatus of claim 26, wherein said substring is forwarded, while
parameters of said substring are stored. 

36. The apparatus of claim 35, wherein said parameters comprise at least 
one of a state of said automaton, said index, a length of the substring and a 
prefix. 

37. The apparatus of claim 26, wherein said apparatus is a network monitor. 

38. The apparatus of claim 26, wherein said apparatus is an intrusion detector.

39. The apparatus of claim 26, wherein said apparatus is a firewall.

40. The apparatus of claim 26, wherein said apparatus is a router.

41. The apparatus of claim 26, wherein said apparatus is a load balancer.

42. The apparatus of claim 26, wherein said apparatus is an anti-virus filter. 

43. The apparatus of claim 26, wherein said apparatus is an anti-spam filter. 

44. The apparatus of claim 26, wherein said apparatus is a document 
controller. 

45. The apparatus of claim 26, wherein said apparatus is a web content filter. 

46. The apparatus of claim 26, wherein said apparatus is a virtual private 
network monitor. 

47. The apparatus of claim 26, wherein said apparatus is a storage area 
network security device. 

48. The apparatus of claim 35, further comprising: 

means for determining whether said forwarded substring is subsequently 
dropped by a target machine. 

49. The apparatus of claim 48, wherein if said forwarded substring is 
subsequently dropped, then a connection for passing said forwarded substring 
is reset. 

50. The apparatus of claim 49, wherein said connection is a TCP connection. 

51. A computer-readable medium having stored thereon a plurality of 
instructions, the plurality of instructions including instructions which, when 
executed by a processor, cause the processor to perform the steps of a method
for detecting a substring of interest from a plurality of substrings that arrives
out-of-order, comprising:

receiving a substring with an index; 

determining whether a preceding span exists in a span set; 
determining whether a succeeding span exists in said span set; and 
applying an automaton having a list of substrings of interest to determine 
whether said substring matches one of said substrings of interest. 

52. The computer-readable medium of claim 51, wherein if said preceding
span and said succeeding span do not exist, then said substring is inserted into
said span set.

53. The computer-readable medium of claim 51, wherein if said succeeding
span does exist, then said substring is joined with said succeeding span to
produce a join span.

54. The computer-readable medium of claim 53, wherein said succeeding
span is replaced by said join span.

55. The computer-readable medium of claim 51, wherein if said preceding
span does exist, then said preceding span is joined with said substring to
produce a join span.

56. The computer-readable medium of claim 55, wherein said preceding
span is replaced by said join span.

57. The computer-readable medium of claim 51, wherein if said preceding
span and said succeeding span do exist, then said preceding span is joined 
with said substring to produce a join span. 

58. The computer-readable medium of claim 57, wherein said join span is 
joined with said succeeding span to produce a second join span.

59. The computer-readable medium of claim 58, wherein said preceding
span and said succeeding span are replaced by said second join span.

60. The computer-readable medium of claim 51, wherein said substring is
forwarded, while parameters of said substring are stored.

61. The computer-readable medium of claim 50, wherein said parameters
comprise at least one of a state of said automaton, said index, a length of the 
substring and a prefix. 

62. The computer-readable medium of claim 50, further comprising:

determining whether said forwarded substring is subsequently dropped
by a target machine.

63. The computer-readable medium of claim 62, wherein if said forwarded 
substring is subsequently dropped, then a connection for passing said 
forwarded substring is reset. 

64. The computer-readable medium of claim 63, wherein said connection is a 
TCP connection. 
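
The insert and join cases recited in claims 1 to 9, as an added Python example that is not code from the patent. The names `SpanSet`, `receive`, `build_automaton`, `scan` and `demo` are hypothetical, and Aho-Corasick is an assumed choice for the automaton (the claims say only "an automaton"). Assumptions: each span buffers its bytes and the joined span is rescanned, rather than storing the automaton state and prefix named in claims 10 and 11, and substrings never overlap.

```python
from collections import deque
def build_automaton(patterns):
    goto, fail, out = [{}], [0], [set()]   # Aho-Corasick goto table, failure links, outputs
    for p in patterns:
        s = 0
        for ch in p:
            if ch not in goto[s]:
                goto[s][ch] = len(goto)
                goto.append({}); fail.append(0); out.append(set())
            s = goto[s][ch]
        out[s].add(p)
    queue = deque(goto[0].values())
    while queue:                            # breadth-first: shallower failure links come first
        s = queue.popleft()
        for ch, t in goto[s].items():
            queue.append(t)
            f = fail[s]
            while f and ch not in goto[f]:
                f = fail[f]
            fail[t] = goto[f].get(ch, 0)
            out[t] |= out[fail[t]]
    return goto, fail, out

def scan(automaton, data):
    goto, fail, out = automaton
    s, hits = 0, set()
    for ch in data:
        while s and ch not in goto[s]:
            s = fail[s]
        s = goto[s].get(ch, 0)
        hits |= out[s]
    return hits

class SpanSet:
    def __init__(self, patterns):
        self.automaton = build_automaton(patterns)
        self.spans = {}   # start index -> buffered bytes; assumes substrings never overlap
    def receive(self, index, substring):
        start, data, end = index, substring, index + len(substring)
        prev = next((s for s, d in self.spans.items() if s + len(d) == index), None)
        if prev is not None:       # preceding span exists: join it with the substring
            start, data = prev, self.spans.pop(prev) + data
        if end in self.spans:      # succeeding span exists: join it onto the result
            data += self.spans.pop(end)
        self.spans[start] = data   # the join span replaces the span(s) it absorbed
        return scan(self.automaton, data)

def demo():  # constructed sample: "GET /etc/passwd HTTP/1.0" in three segments, last one first
    ss = SpanSet([b"/etc/passwd", b"cmd.exe"])
    return [ss.receive(i, seg) for i, seg in [(12, b"swd HTTP/1.0"), (0, b"GET /et"), (7, b"c/pas")]]
```

The pattern is reported only on the third call, when the middle segment bridges the preceding and succeeding spans into one span that contains the whole string.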